Friday, November 16, 2018

Spoofing file extensions on HackerOne

While testing HackerOne, I observed an issue with the file upload functionality. It seems that on file upload, the uploader determines the content type from the contents of the file rather than from its extension.

Although this does not pose much of a risk, since the changed extension would be visible at download time, I wanted to blog about it.

You will see a warning from HackerOne, but since the file is a .txt file, the user might just go ahead.

The user downloads the file, thinking it is a text file.

If the user ignores the extension of the downloaded file and opens it, the malicious HTML and script content executes.

Reason:

The Content-Disposition: attachment; filename="" header in the response from hackerone-attachments.s3.amazonaws.com does not contain a filename, forcing the browser to decide the file name and extension on its own.

Since HackerOne decided the content type from the file's content header instead of its extension, some browsers would simply save it to the user's computer with an incorrect extension, which caused scenarios 1 and 2 above.
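The defensive side of this, as an added example that is not HackerOne's code: a download endpoint should always send a sanitized filename in Content-Disposition, forbid sniffing with X-Content-Type-Options: nosniff, and downgrade anything whose extension or bytes look like active content (HTML, SVG) to application/octet-stream. The sniff_type helper is a constructed stand-in for libmagic, and the sample bytes are constructed.

```python
import mimetypes
import posixpath
import re

# Types a browser may render as active content; never serve an upload as these.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def sniff_type(data: bytes) -> str:
    """Constructed stand-in for libmagic: just enough to recognise the HTML case."""
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html", b"<script")):
        return "text/html"
    if head.startswith(b"<svg"):
        return "image/svg+xml"
    return "application/octet-stream"


def safe_filename(name: str) -> str:
    """Keep only a basename of safe characters; never return an empty name,
    so the browser is never left to choose the extension itself."""
    base = posixpath.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(". ")
    return base or "download"


def extension_mismatch(original_name: str, data: bytes) -> bool:
    """True when the bytes look like active content but the name does not say so
    (the .txt-that-is-really-HTML case from the post)."""
    declared = mimetypes.guess_type(safe_filename(original_name))[0]
    return sniff_type(data) in ACTIVE_TYPES and declared not in ACTIVE_TYPES


def download_headers(original_name: str, data: bytes) -> dict:
    """Response headers for serving a user upload: a named attachment, the
    type taken from the extension, active types downgraded, sniffing disabled."""
    name = safe_filename(original_name)
    declared = mimetypes.guess_type(name)[0] or "application/octet-stream"
    if declared in ACTIVE_TYPES or sniff_type(data) in ACTIVE_TYPES:
        declared = "application/octet-stream"
    return {
        "Content-Type": declared,
        "Content-Disposition": f'attachment; filename="{name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    sample = b"<html><body>looks like a text file</body></html>"  # constructed
    print(extension_mismatch("notes.txt", sample))
    print(download_headers("../../notes.txt", sample))
```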